[KLUG Members] ACCEPT all -- anywhere anywhere, eh?
Robert G. Brown
members@kalamazoolinux.org
Thu, 09 Jan 2003 20:06:27 -0500
Adam Williams <awilliam@whitemice.org> queried as follows:
>Is the redhat firewall config tool goobered?
Dunno, we can discuss what "goobered" means somewhere else.
>Chain INPUT (policy ACCEPT)
>target prot opt source destination
>RH-Lokkit-0-50-INPUT all -- anywhere anywhere
>...
>Chain RH-Lokkit-0-50-INPUT (1 references)
>target prot opt source destination
>ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
>ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
>ACCEPT all -- anywhere anywhere
>ACCEPT udp -- k2.iserv.net anywhere udp spt:domain
>ACCEPT udp -- everest.iserv.net anywhere udp spt:domain
>REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
>REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable
>
>Doesn't the "ACCEPT all -- anywhere anywhere" negate all the rules below it?
UM, it would probably obviate them, yes. I have this little munchkin on my
shoulder (perhaps a degooberizer, or maybe a degooberator?) that tells me the
"all" ought to be a "tcp".
However, I don't really like this whole setup, mostly 'cuz I prefer a policy
of REJECT or DENY... why they don't do this isn't clear to me. The stateful
nature of some rules is helpful, though.
Regards,
---> RGB <---
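An added example, not part of the thread above. The listing Adam quoted comes from plain `iptables -L`, which does not print the in/out interface columns (they appear only with `-v`), so a line that reads `ACCEPT all -- anywhere anywhere` may carry an interface restriction such as `-i lo` that the listing hides; the Lokkit rule set commonly contained exactly such a loopback accept rule. The script below checks rule shadowing from `iptables-save` output instead, where every match option is visible: an earlier rule with a terminating target that matches everything a later rule matches makes the later rule dead. The two inputs are constructed reconstructions of the quoted chain, one without and one with the interface restriction; the resolver addresses 192.0.2.53 and 192.0.2.54 are placeholder stand-ins for k2.iserv.net and everest.iserv.net, and the function names are my own.

```python
"""Flag iptables rules that an earlier rule in the same chain already covers.

Feed it `iptables-save` text on stdin, or run it with no input to see the
constructed samples below.  Only the match options listed in MATCH_OPTS and
FLAG_OPTS are understood; a rule using anything else is treated as opaque
and is never claimed to shadow another rule (it can still be shadowed).
"""
import ipaddress
import shlex
import sys

TERMINATING = {"ACCEPT", "DROP", "REJECT"}          # rules that end traversal on match
MATCH_OPTS = {"-i", "-o", "-p", "-s", "-d", "--dport", "--sport"}  # options with a value
FLAG_OPTS = {"--syn"}                                # options without a value
SKIP_WITH_VALUE = {"-m", "--reject-with"}            # no match effect; consume the value

# Constructed sample 1: what the quoted `iptables -L` output implies when the
# hidden interface column is taken at face value (catch-all ACCEPT mid-chain).
LISTING_WITHOUT_IFACE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.0.2.53 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.0.2.54 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed sample 2: the same chain with the loopback restriction that
# `iptables -L -v` or `iptables-save` would reveal on the catch-all rule.
LISTING_WITH_IFACE = LISTING_WITHOUT_IFACE.replace(
    "-A RH-Lokkit-0-50-INPUT -j ACCEPT", "-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT")


def parse_rule(line):
    """Parse one '-A CHAIN ...' line; return None for non-rule lines."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "crit": {}, "target": None, "opaque": False, "text": line}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif tok in SKIP_WITH_VALUE:
            i += 2
        elif tok in MATCH_OPTS:
            rule["crit"][tok] = toks[i + 1]
            i += 2
        elif tok in FLAG_OPTS:
            rule["crit"][tok] = True
            i += 1
        else:                      # negation, other modules: do not reason about it
            rule["opaque"] = True
            i += 1
    return rule


def _covers(a_val, b_val, key):
    """Does criterion value a_val cover b_val?  Addresses compare as networks."""
    if key in ("-s", "-d"):
        try:
            return ipaddress.ip_network(b_val, strict=False).subnet_of(
                ipaddress.ip_network(a_val, strict=False))
        except (ValueError, TypeError):   # hostnames or mixed IP versions
            return a_val == b_val
    return a_val == b_val


def subsumes(a, b):
    """True if every packet rule b would match is already decided by rule a."""
    if a["opaque"] or a["target"] not in TERMINATING:
        return False
    return all(key in b["crit"] and _covers(val, b["crit"][key], key)
               for key, val in a["crit"].items())


def find_shadowed(save_text):
    """Return (chain, shadowing_index, shadowed_index) for every dead rule."""
    chains = {}
    for line in save_text.splitlines():
        rule = parse_rule(line.strip())
        if rule:
            chains.setdefault(rule["chain"], []).append(rule)
    findings = []
    for chain, rules in chains.items():
        for j, later in enumerate(rules):
            for i in range(j):
                if subsumes(rules[i], later):
                    findings.append((chain, i, j))
                    break                  # first shadowing rule is enough
    return findings


def report(save_text):
    for chain, i, j in find_shadowed(save_text):
        print(f"{chain}: rule {j} is never reached, covered by rule {i}")


if __name__ == "__main__":
    if sys.stdin.isatty():
        print("--- without interface column ---"); report(LISTING_WITHOUT_IFACE)
        print("--- with -i lo on the catch-all ---"); report(LISTING_WITH_IFACE)
    else:
        report(sys.stdin.read())
```

Run it as `iptables-save | python3 shadow_check.py` on a live box. With the first sample it reports the four rules after the catch-all as dead; with `-i lo` on that rule it reports nothing, which is the check to make before concluding that a listing like the one quoted really negates everything below it.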